.TH "Flow filter in tc" 8 "20 Oct 2015" "iproute2" "Linux"

.SH NAME

flow \- flow based traffic control filter

.SH SYNOPSIS

.TP

Mapping mode:

.RS

.in +8

.ti -8

.BR tc " " filter " ... " "flow map key "

.IR KEY " [ " OPS " ] [ " OPTIONS " ] "

.RE

.TP

Hashing mode:

.RS

.in +8

.ti -8

.BR tc " " filter " ... " "flow hash keys "

.IR KEY_LIST " [ "

.B perturb

.IR secs " ] [ " OPTIONS " ] "

.RE

.in +8

.ti -8

.IR OPS " := [ " OPS " ] " OP

.ti -8

.IR OPTIONS " := [ "

.B divisor

.IR NUM " ] [ "

.B baseclass

.IR ID " ] [ "

.B match

.IR EMATCH_TREE " ] [ "

.B action

.IR ACTION_SPEC " ]"

.ti -8

.IR KEY_LIST " := [ " KEY_LIST " ] " KEY

.ti -8

.IR OP " := { "

.BR or " | " and " | " xor " | " rshift " | " addend " } "

.I NUM

.ti -8

.IR ID " := " X : Y

.ti -8

.IR KEY " := { "

.BR src " | " dst " | " proto " | " proto-src " | " proto-dst " | " iif " | "

.BR priority " | " mark " | " nfct " | " nfct-src " | " nfct-dst " | "

.BR nfct-proto-src " | " nfct-proto-dst " | " rt-classid " | " sk-uid " | "

.BR sk-gid " | " vlan-tag " | " rxhash " }"

.SH DESCRIPTION

The

.B flow

classifier is meant to extend the

.B SFQ

hashing capabilities without hard-coding new hash functions. It also allows

deterministic mappings of keys to classes.

.SH OPTIONS

.TP

.BI action " ACTION_SPEC"

Apply an action from the generic actions framework on matching packets.

.TP

.BI baseclass " ID"

An offset for the resulting class ID.

.I ID

may be

.BR root ", " none

or a hexadecimal class ID in the form [\fIX\fB:\fR]\fIY\fR. \fIX\fR must

match qdisc's/class's major handle (if omitted, the correct value is chosen

automatically). If the whole \fBbaseclass\fR is omitted, \fIY\fR defaults

to 1.

.TP

.BI divisor " NUM"

Number of buckets to use for sorting into. Keys are calculated modulo

.IR NUM .

.TP

.BI "hash keys " KEY-LIST

Perform a

.B jhash2

operation over the keys in

.IR KEY-LIST ,

the result (modulo the

.B divisor

if given) is taken as class ID, optionally offset by the value of

.BR baseclass .

It is possible to specify an interval (in seconds) after which

.BR jhash2 's

entropy source is recreated using the

.B perturb

parameter.

.TP

.BI "map key " KEY

Packet data identified by

.I KEY

is translated into class IDs to push the packet into. The value may be mangled by

.I OPS

before using it for the mapping. They are applied in the order listed here:

.RS

.TP 4

.BI and " NUM"

Perform bitwise

.B AND

operation with numeric value

.IR NUM .

.TP

.BI or " NUM"

Perform bitwise

.B OR

operation with numeric value

.IR NUM .

.TP

.BI xor " NUM"

Perform bitwise

.B XOR

operation with numeric value

.IR NUM .

.TP

.BI rshift " NUM"

Shift the value of

.I KEY

to the right by

.I NUM

bits.

.TP

.BI addend " NUM"

Add

.I NUM

to the value of

.IR KEY .

.RE

.RS

For the

.BR or ", " and ", " xor " and " rshift

operations,

.I NUM

is assumed to be an unsigned, 32bit integer value. For the

.B addend

operation,

.I NUM

may be much more complex: It may be prefixed by a minus ('-') sign to cause

subtraction instead of addition and for keys of

.BR src ", " dst ", " nfct-src " and " nfct-dst

it may be given in IP address notation. See below for an illustrating example.

.RE

.TP

.BI match " EMATCH_TREE"

Match packets using the extended match infrastructure. See

.BR tc-ematch (8)

for a detailed description of the allowed syntax in

.IR EMATCH_TREE .

.SH KEYS

In mapping mode, a single key is used (after optional permutation) to build a

class ID. The resulting ID is deducible in most cases. In hashing more, a number

of keys may be specified which are then hashed and the output used as class ID.

This ID is not deducible in beforehand, and may even change over time for a

given flow if a

.B perturb

interval has been given.

The range of class IDs can be limited by the

.B divisor

option, which is used for a modulus.

.TP

.BR src ", " dst

Use source or destination address as key. In case of IPv4 and TIPC, this is the

actual address value. For IPv6, the 128bit address is folded into a 32bit value

by XOR'ing the four 32bit words. In all other cases, the kernel-internal socket

address is used (after folding into 32bits on 64bit systems).

.TP

.B proto

Use the layer four protocol number as key.

.TP

.B proto-src

Use the layer four source port as key. If not available, the kernel-internal

socket address is used instead.

.TP

.B proto-dst

Use the layer four destination port as key. If not available, the associated

kernel-internal dst_entry address is used after XOR'ing with the packet's

layer three protocol number.

.TP

.B iif

Use the incoming interface index as key.

.TP

.B priority

Use the packet's priority as key. Usually this is the IP header's DSCP/ECN

value.

.TP

.B mark

Use the netfilter

.B fwmark

as key.

.TP

.B nfct

Use the associated conntrack entry address as key.

.TP

.BR nfct-src ", " nfct-dst ", " nfct-proto-src ", " nfct-proto-dst

These are conntrack-aware variants of

.BR src ", " dst ", " proto-src " and " proto-dst .

In case of NAT, these are basically the packet header's values before NAT was

applied.

.TP

.B rt-classid

Use the packet's destination routing table entry's realm as key.

.TP

.B sk-uid

.TQ

.B sk-gid

For locally generated packets, use the user or group ID the originating socket

belongs to as key.

.TP

.B vlan-tag

Use the packet's vlan ID as key.

.TP

.B rxhash

Use the flow hash as key.

.SH EXAMPLES

.TP

Classic SFQ hash:

.EX

tc filter add ... flow hash \\

	keys src,dst,proto,proto-src,proto-dst divisor 1024

.EE

.TP

Classic SFQ hash, but using information from conntrack to work properly in combination with NAT:

.EX

tc filter add ... flow hash \\

	keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst \\

	divisor 1024

.EE

.TP

Map destination IPs of 192.168.0.0/24 to classids 1-256:

.EX

tc filter add ... flow map \\

	key dst addend -192.168.0.0 divisor 256

.EE

.TP

Alternative to the above:

.EX

tc filter add ... flow map \\

	key dst and 0xff

.EE

.TP

The same, but in reverse order:

.EX

tc filter add ... flow map \\

	key dst and 0xff xor 0xff

.EE

.SH SEE ALSO

.BR tc (8),

.BR tc-ematch (8),

.BR tc-sfq (8)